Analysis
Max time kernel: 118s
Max time network: 125s
Platform: windows7_x64
Resource: win7-20240708-en
Resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
Submitted: 26-07-2024 12:44
Static task: static1
Behavioral task: behavioral1
  Sample: 0cd87830a30b703bdeba484aa1303bc0N.exe
  Resource: win7-20240708-en
Behavioral task: behavioral2
  Sample: 0cd87830a30b703bdeba484aa1303bc0N.exe
  Resource: win10v2004-20240709-en
General
Target: 0cd87830a30b703bdeba484aa1303bc0N.exe
Size: 78KB
MD5: 0cd87830a30b703bdeba484aa1303bc0
SHA1: 3ce059f09cc9478f1dca1a00b01d121c05ccbb03
SHA256: 93a8a14bbf42e8a7bee6ab857932894988996d25a3e491b6ef4323914b1e3d9e
SHA512: d152dacf25c9e1a6f92c06f6a108393fdb4d4b164eca9c62a5843143b9ffade5b658fb33e51093ccbfbe481b8b57976a6f7a3b9e148be626893dd600d5dccaf8
SSDEEP: 1536:H/V58xAlGmWw644txVILJtcfJuovFdPKmNqOqD70Gou2P2oYe9QtP6W9/p1K6:fV58xAtWDDILJLovbicqOq3o+nr9/p
Malware Config
Signatures

MetamorpherRAT
MetamorpherRAT is a hacking tool that has been around since 2013.

Executes dropped EXE (1 IoC)
Processes:
  PID 2552  tmp8EE7.tmp.exe

Loads dropped DLL (2 IoCs)
Processes:
  PID 2948  0cd87830a30b703bdeba484aa1303bc0N.exe
  PID 2948  0cd87830a30b703bdeba484aa1303bc0N.exe

Uses the VBS compiler for execution (1 TTP)

Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
  Description: Set value (str)
  IoC: \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\caspol.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallMembership.exe\""
  Process: tmp8EE7.tmp.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  0cd87830a30b703bdeba484aa1303bc0N.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  vbc.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cvtres.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  tmp8EE7.tmp.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
  Token: SeDebugPrivilege  PID 2948  0cd87830a30b703bdeba484aa1303bc0N.exe
  Token: SeDebugPrivilege  PID 2552  tmp8EE7.tmp.exe

Suspicious use of WriteProcessMemory (12 IoCs)
Processes:
  PID 2948 (0cd87830a30b703bdeba484aa1303bc0N.exe) wrote to memory of PID 2288 (vbc.exe), 4 entries
  PID 2288 (vbc.exe) wrote to memory of PID 2532 (cvtres.exe), 4 entries
  PID 2948 (0cd87830a30b703bdeba484aa1303bc0N.exe) wrote to memory of PID 2552 (tmp8EE7.tmp.exe), 4 entries
Processes

C:\Users\Admin\AppData\Local\Temp\0cd87830a30b703bdeba484aa1303bc0N.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\0cd87830a30b703bdeba484aa1303bc0N.exe"
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (level 2)
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\duh3jati.cmdline"
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe (level 3)
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES90CC.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc90CB.tmp"
      - System Location Discovery: System Language Discovery

  C:\Users\Admin\AppData\Local\Temp\tmp8EE7.tmp.exe (level 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmp8EE7.tmp.exe" C:\Users\Admin\AppData\Local\Temp\0cd87830a30b703bdeba484aa1303bc0N.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads

C:\Users\Admin\AppData\Local\Temp\RES90CC.tmp
  Filesize: 1KB
  MD5: e5d9abacac08a3dd76bb23b947a541eb
  SHA1: daea68219201f44aabaf5d6ca8e1672815bf0808
  SHA256: b8804ce8cd49451f13e6f72697ba2d1dca185d623ac01628aa50e3bed93ab597
  SHA512: 8be36b11c73d48c6ce3ff162bb9c77ce7cf99a4072df0d6cfd4cf62fa0f8bcf4a36624c3bd89ae46ba661fae31167e19b280479846c33af7a7e51eb9f6da7d6c

C:\Users\Admin\AppData\Local\Temp\duh3jati.0.vb
  Filesize: 14KB
  MD5: 5121182d695f6ebd7dde4381a1c0771d
  SHA1: 1132ace86cef8dfcdfc07766a14606ff5ca5536d
  SHA256: 3e3fe7c0343e92e7d0e4bfab40f2407ee2eb0218cdf6653f2f35a0ab30f6eb45
  SHA512: 645e5ff5bf49e9daf69257557fdb97441011a1cc1884d90db73dd68a5c1dd6c2eaff63a965f13a95575981349527c23b5b35865daca56281a4b06d80d6c40501

C:\Users\Admin\AppData\Local\Temp\duh3jati.cmdline
  Filesize: 266B
  MD5: c4bf374c274506f6a6adcfb05bcdd51d
  SHA1: 3b389b6447afd65d640c1094185df4a06c4ffa2d
  SHA256: 4c1e013ca3b3b89772bf374aded6eac6e87e89a3564a64ce84f8b18b4de43f0d
  SHA512: 02e5927ccd526d193698b561e805bfda6531ca3628bbdc7c32bb54e4e664b25f8a7e1979fa248a4c5ca6b37cecbbe2bba3d282fd92a94531756f5ff3c5d6ecc8

C:\Users\Admin\AppData\Local\Temp\tmp8EE7.tmp.exe
  Filesize: 78KB
  MD5: 3f36e702f4b5c23ab6ae0c3d4fe0644d
  SHA1: cbe1015762d755c2bb651225d6f663713e6f1428
  SHA256: 4676f2c9eae9ef8c9c2e3410fc236ac01d6b7ab7cab3454aeec217585cb82c9a
  SHA512: b66eab3e889fe86c497d9f86b7c222acddef9c01aff09fa36dc6e43bf94028ebdc4614b83e896ee759e3903a5c875f0af0b9690bd084473d69659f2244bfbdbc

C:\Users\Admin\AppData\Local\Temp\vbc90CB.tmp
  Filesize: 660B
  MD5: 23622f3c021eb50ae7c2f5bc0477086c
  SHA1: 4429c9d7b40a55ae5da0d0deb4b644f0b78fb019
  SHA256: 189f4a7a281dba6ce0ccf578041fa98f9fc03c3ba2d853906957e272d9332ea4
  SHA512: 478c0de7a36f8060fa3e0af2b11deb00b34abd4f50453267a6c4cbfd20994c3cf9005aced50ed2c19b1659bfedf0aac70106670cffb8249e6ada54ca9cd5a4dc

C:\Users\Admin\AppData\Local\Temp\zCom.resources
  Filesize: 62KB
  MD5: a26b0f78faa3881bb6307a944b096e91
  SHA1: 42b01830723bf07d14f3086fa83c4f74f5649368
  SHA256: b43ecda931e7af03f0768c905ed9fa82c03e41e566b1dff9960afc6b91ae5ab5
  SHA512: a0e9c2814fca6bcf87e779592c005d7a8eef058a61f5a5443f7cf8d97e2316d0cde91ed51270bbcc23ccf68c7fc4a321a5a95a4eed75cb8d8a45cb3aa725fb9c

memory/2288-8-0x0000000073E40000-0x00000000743EB000-memory.dmp
  Filesize: 5.7MB

memory/2288-18-0x0000000073E40000-0x00000000743EB000-memory.dmp
  Filesize: 5.7MB

memory/2948-0-0x0000000073E41000-0x0000000073E42000-memory.dmp
  Filesize: 4KB

memory/2948-1-0x0000000073E40000-0x00000000743EB000-memory.dmp
  Filesize: 5.7MB

memory/2948-2-0x0000000073E40000-0x00000000743EB000-memory.dmp
  Filesize: 5.7MB

memory/2948-24-0x0000000073E40000-0x00000000743EB000-memory.dmp
  Filesize: 5.7MB